Add specs to test disallow-unsafe-type (#5746)

Arkatufus · web-flow · commit 9f23e04cc3bb · 2022-04-15T18:30:02.000-05:00
* Add spec to test disallow-unsafe-type

* Fix Hyperion disallow-unsafe-type spec
diff --git a/src/contrib/serializers/Akka.Serialization.Hyperion.Tests/HyperionConfigTests.cs b/src/contrib/serializers/Akka.Serialization.Hyperion.Tests/HyperionConfigTests.cs
@@ -7,8 +7,10 @@
 
 using System;
 using System.Collections.Generic;
+using System.IO;
 using System.Linq;
 using System.Runtime.Serialization;
+using System.Threading.Tasks;
 using Akka.Actor;
 using Akka.Configuration;
 using FluentAssertions;
@@ -246,6 +248,71 @@ public void Hyperion_serializer_should_allow_to_setup_surrogates()
                 FooHyperionSurrogate.Surrogated[0].Should().BeEquivalentTo(expected);
             }
         }
+        
+        [Fact]
+        public async Task CanDeserializeANaughtyTypeWhenAllowed()
+        {
+            var config = ConfigurationFactory.ParseString(@"
+akka {
+    serialize-messages = on
+    actor {
+        serializers {
+            hyperion = ""Akka.Serialization.HyperionSerializer, Akka.Serialization.Hyperion""
+        }
+        serialization-bindings {
+            ""System.Object"" = hyperion
+        }
+        serialization-settings.hyperion.disallow-unsafe-type = false
+    }
+}");
+            var system = ActorSystem.Create("unsafeSystem", config);
+            
+            try
+            {
+                var serializer = system.Serialization.FindSerializerForType(typeof(DirectoryInfo));
+                var di = new DirectoryInfo(@"c:\");
+
+                var serialized = serializer.ToBinary(di);
+                var deserialized = serializer.FromBinary<DirectoryInfo>(serialized);
+            }
+            finally
+            {
+                await system.Terminate();
+            }
+        }
+        
+        [Fact]
+        public async Task CantDeserializeANaughtyTypeByDefault()
+        {
+            var config = ConfigurationFactory.ParseString(@"
+akka {
+    serialize-messages = on
+    actor {
+        serializers {
+            hyperion = ""Akka.Serialization.HyperionSerializer, Akka.Serialization.Hyperion""
+        }
+        serialization-bindings {
+            ""System.Object"" = hyperion
+        }
+    }
+}");
+            var system = ActorSystem.Create("unsafeSystem", config);
+            
+            try
+            {
+                var serializer = system.Serialization.FindSerializerForType(typeof(DirectoryInfo));
+                var di = new DirectoryInfo(@"c:\");
+                
+                var serialized = serializer.ToBinary(di);
+                var ex = Assert.Throws<SerializationException>(() => serializer.FromBinary<DirectoryInfo>(serialized));
+                ex.InnerException.Should().BeOfType<EvilDeserializationException>();
+            }
+            finally
+            {
+                await system.Terminate();
+            }
+        }
+                
 
         public static IEnumerable<object[]> TypeFilterObjectFactory()
         {
diff --git a/src/contrib/serializers/Akka.Serialization.Hyperion.Tests/HyperionSerializerSetupSpec.cs b/src/contrib/serializers/Akka.Serialization.Hyperion.Tests/HyperionSerializerSetupSpec.cs
@@ -35,8 +35,12 @@ private static Config Config
 }
 ");
 
+        private readonly ITestOutputHelper _output;
+
         public HyperionSerializerSetupSpec(ITestOutputHelper output) : base (Config, output)
-        { }
+        {
+            _output = output;
+        }
 
         [Fact]
         public void Setup_should_be_converted_to_settings_correctly()
@@ -128,14 +132,22 @@ public void Setup_surrogate_should_work()
 
         [Theory]
         [MemberData(nameof(DangerousObjectFactory))]
-        public void Setup_disallow_unsafe_type_should_work(object dangerousObject, Type type)
+        public void Setup_disallow_unsafe_type_should_work_by_default(byte[] dangerousObject, Type type)
         {
+            _output.WriteLine($"Dangerous type: [{type}]");
             var deserializer = new HyperionSerializer((ExtendedActorSystem)Sys, HyperionSerializerSettings.Default);
-            var serializer = new HyperionSerializer((ExtendedActorSystem)Sys, deserializer.Settings.WithDisallowUnsafeType(false));
-            var serialized = serializer.ToBinary(dangerousObject);
-            deserializer.Invoking(s => s.FromBinary(serialized, type)).Should().Throw<SerializationException>();
+            deserializer.Invoking(s => s.FromBinary(dangerousObject, type)).Should().Throw<SerializationException>();
         }
 
+        [Theory]
+        [MemberData(nameof(DangerousObjectFactory))]
+        public void Setup_should_deserialize_unsafe_type_if_allowed(byte[] dangerousObject, Type type)
+        {
+            _output.WriteLine($"Dangerous type: [{type}]");
+            var deserializer = new HyperionSerializer((ExtendedActorSystem)Sys, HyperionSerializerSettings.Default.WithDisallowUnsafeType(false));
+            deserializer.FromBinary(dangerousObject, type); // should not throw
+        }
+        
         [Theory]
         [MemberData(nameof(TypeFilterObjectFactory))]
         public void Setup_TypeFilter_should_filter_types_properly(object sampleObject, bool shouldSucceed)
@@ -170,17 +182,23 @@ public static IEnumerable<object[]> DangerousObjectFactory()
         {
             var isWindow = RuntimeInformation.IsOSPlatform(OSPlatform.Windows);
             
-            yield return new object[]{ new FileInfo("C:\\Windows\\System32"), typeof(FileInfo) };
-            yield return new object[]{ new ClaimsIdentity(), typeof(ClaimsIdentity)};
+            yield return new object[]{ Serialize(new FileInfo("C:\\Windows\\System32")), typeof(FileInfo) };
+            yield return new object[]{ Serialize(new ClaimsIdentity()), typeof(ClaimsIdentity)};
             if (isWindow)
             {
-                yield return new object[]{ WindowsIdentity.GetAnonymous(), typeof(WindowsIdentity) };
-                yield return new object[]{ new WindowsPrincipal(WindowsIdentity.GetAnonymous()), typeof(WindowsPrincipal)};
+                yield return new object[]{ Serialize(WindowsIdentity.GetAnonymous()), typeof(WindowsIdentity) };
+                yield return new object[]{ Serialize(new WindowsPrincipal(WindowsIdentity.GetAnonymous())), typeof(WindowsPrincipal)};
             }
 #if NET471
-            yield return new object[]{ new Process(), typeof(Process)};
+            yield return new object[]{ Serialize(new Process()), typeof(Process)};
 #endif
-            yield return new object[]{ new ClaimsIdentity(), typeof(ClaimsIdentity)};
+            yield return new object[]{ Serialize(new ClaimsIdentity()), typeof(ClaimsIdentity)};
+        }
+
+        private static byte[] Serialize(object obj)
+        {
+            var serializer = new HyperionSerializer(null, HyperionSerializerSettings.Default.WithDisallowUnsafeType(false));
+            return serializer.ToBinary(obj);
         }
 
         public static IEnumerable<object[]> TypeFilterObjectFactory()
